Читать книгу Implementing Enterprise Risk Management - Lam James - Страница 8

Risk can mean different things to different people. The word evokes elements of chance, uncertainty, threat, danger, and hazard. These connotations include the possibility of loss, injury, or some other negative event. Given those negative consequences, it would be natural to assume that one should simply minimize risks or avoid them altogether. In fact, risk managers have applied this negative definition for many years. Risk was simply a barrier to business objectives, and the object of risk management was to limit it. For this reason, risk models were designed to quantify expected loss, unexpected loss, and worst-case scenarios.

In a business context, however, risk has an upside as well as a downside. Without risk there would be no opportunity for return. A proper definition of risk, then, should recognize both its cause (a variable or uncertain factor) and its effect (positive and negative deviation from an expected outcome). Taken thus, I define risk as follows:

Risk is a variable that can cause deviation from an expected outcome, and as such may affect the achievement of business objectives and the performance of the overall organization.

To understand this definition more fully, we need to clarify seven key fundamental concepts. It is important not to confuse any of these with risk itself, but to understand how they influence a company's overall risk profile:

1. Exposure

2. Volatility

3. Probability

4. Severity

5. Time Horizon

6. Correlation

7. Capital

Exposure

Risk exposure is the maximum amount of economic damage resulting from an event. This damage can take the form of financial and/or reputational loss. All other factors being equal, the risk associated with that event will increase as the exposure increases. For example, a lender is exposed to the risk that a borrower will default. The more it lends to that borrower, the more exposed it is and the riskier its position is with respect to that borrower. Exposure measurement is a hard science for some risks – those which result in direct financial loss such as credit and market risk – but is more qualitative for others, such as operational and compliance risk. No matter how it is measured, exposure is an evaluation of the worst–case scenario. Magellan's exposure consisted of the entire equity invested by King Charles I, his own life, and the lives of his crew.

Volatility

Volatility is a measure of uncertainty, the variability in potential outcomes. More specifically, volatility is the magnitude of the upside or downside of the risk taken. It serves as a good proxy for risk in many applications, particularly those dependent on market factors such as options pricing. In other applications it is an important driver of the overall risk in terms of potential loss or gain. Generally, the greater the volatility, the greater the risk. For example, the number of loans that turn bad is proportionately higher, on average, in the credit card business than in commercial real estate. Nonetheless, real estate lending is widely considered to be riskier, because the loss rate is much more volatile. Lenders can estimate potential losses in the credit card business (and prepare for them) with greater certainty than they can in commercial real estate. Like exposure, volatility has a specific, quantifiable meaning in some applications. In market risk, for example, it is synonymous with the standard deviation of returns and can be estimated in a number of ways. The general concept of uncertain outcomes is useful in considering other types of risk as well: A spike in energy prices might increase a company's input prices, for example, or an increase in the turnover rate of computer programmers might negatively affect a company's technology initiatives.

Probability

The more likely an event – in other words, the greater its probability – the greater the risk it presents. Events such as interest rate movements or credit card defaults are so likely that companies need to plan for them as a matter of course. Mitigation strategies should be an integral part of the business's ongoing operations. Take the case of a modern data center. Among potential risks are cyberattack and fire, with the probability of the latter considerably lower than that of the former. Yet should the data center catch fire, the results would be devastating. Imagine that the company maintains backup data as part of its cybersecurity program. Simply housing that data in a separate, geographically remote facility would address both risks at a cost only incrementally greater than addressing just one. As a result, the company can prepare for the highly unlikely but potentially ruinous event of fire.

Severity

Whereas exposure is defined in terms of the worst that could possibly happen, severity, by contrast, is the amount of damage that is likely to be suffered. The greater the severity, the greater the risk. Severity is the partner to probability: If we know how likely an event is to happen, and how much we are likely to suffer as a consequence, we have a pretty good idea of the risk we are running. Severity is used to describe a specific turn of events, whereas exposure is a constant which governs an entire risk scenario. Severity is often a function of other risk factors, such as volatility in market risk. For example, consider a $100 equity position. The exposure is $100, since the stock price could theoretically drop all the way to zero and the whole investment could be lost. In reality, however, it is not likely to fall that far, so the severity is less than $100. The more volatile the stock, the more likely it is to fall a long way – so the severity is greater and the position riskier. In terms of a credit risk example, the probability of default is driven by the creditworthiness of the borrower, whereas loss severity (i.e., loss in the event of default) is driven by collateral, if any, as well as the order of debt payment.

Time Horizon

Time horizon refers to the duration of risk exposure or how long it would take to reverse the effects of a decision or event. The longer an exposure's duration, the greater its risk. For example, extending a one-year loan is less risky than extending a 10-year loan to the same borrower. By the same token, highly liquid instruments such as U.S. Treasury bonds are generally less risky than lightly traded securities such as unlisted equity, structured derivatives, or real estate. This is because investors can shed their positions in liquid vehicles quickly should the need arise while illiquid investments would take longer to sell, thus increasing time horizon – and risk. When it comes to operational risk, time horizon often depends on a company's level of preparation. A fire that burns a computer center to the ground will leave a company exposed until backup facilities come online, so the risk is greater for organizations that do not have well-established and tested procedures in place. Monitoring, preparation, and rapid response are key. With cybersecurity, preventing all attacks is an unrealistic expectation, but malware detection (“dwell time”) and risk mitigation (“response time”) are critical drivers of potential damage. Problems arise when companies do not recognize that a risk event has occurred, thus lengthening the time horizon associated with that risk, or if they have not developed a proper risk mitigation strategy.

Correlation

Correlation refers to how risks in a business are related to one another. If two risks behave similarly – that is, they increase for the same reasons or by the same amount – they are considered highly correlated. The greater the correlation, the greater the risk. Correlation is a key concept in risk diversification. Highly correlated risk exposures increase the level of risk concentrations within a business. Examples include loans to a particular industry, investments in the same asset class, or operations within the same building. Risk diversification in a business is inversely related to the level of correlations within that business. Financial risks can be diversified through risk limits and portfolio allocation targets, which cap risk concentrations. Operational risk can be diversified through separation of business units or through the use of redundant systems. A key objective in operational risk management is to reduce “single points of failure,” or SPOFs.

A word of caution, however: Seasoned risk professionals recognize that price correlations approach one during times of crisis. For example, during the 2008 financial crisis, all global asset prices (e.g., real estate, equities, bonds, and commodities) fell in concert, with the exception of U.S. Treasuries. For this reason, companies should stress-test their correlation assumptions, as diversification benefits may evaporate just when they are most needed.

Capital

Companies hold capital for two primary reasons: The first is to meet cash requirements such as investments and expenses, and the second is to cover unexpected losses arising from risk exposures. The level of capital that management wants to set aside for these two purposes is often called economic capital. The overall level of economic capital required by a company will depend on the credit rating it wants. A credit rating is an estimate of how likely a company is to fail. It is less likely to fail if it has more capital to absorb any unexpected loss. The more creditworthy it wants to be, the more capital it will have to hold against a given level of risk. The allocation of economic capital to business units has two important business benefits: It links risk and return and it allows the profitability of all business units to be compared on a consistent risk-adjusted basis. As a result, business activities that contribute to, or detract from, shareholder value can be identified easily so management has a powerful and objective tool to allocate economic capital to its most efficient uses.

In addition to economic capital, risk managers should consider human capital (management talent, experience, and track record) and liquidity reserves relative to a company's risk profile. The combination of economic capital, human capital, and liquidity reserves represents the “risk capacity” of the company.